Login/Register
Firefox WebExtension - How to obtain and modify content of cross domain iframe
Asked Answered
Solved javascriptjqueryfirefoxiframefirefox-addon-webextensions
G

1

13

I would like to know how to access and modify the contents of a cross domain iframe in JavaScript within a Firefox WebExtension. I understand the limitations of normal JavaScript and that modifying a cross domain iframe would be an XSS vulnerability, but I believe there is some way to do it in a WebExtension that I cannot find. I believe this because the legacy extension manifests had options for allowing cross domain content in the permissions section.

When viewing old code for the legacy versions of FireFox extensions, there seems to be options for cross domain content for certain websites in the fashion below. Although for the new FireFox WebExtension, this is not a feature listed in the documentation.

"cross-domain-content": ["https://www.example.com"]

Here is my manifest.json file.

{
  "manifest_version": 2,
  "name": "Test Extension",
  "version": "1.0",
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "all_frames": true,
      "js": [
        "js/main.js"
      ]
    }
  ],
  "permissions": [
    "*://*/*",
    "<all_urls>",
  ]
}

Here is my main.js file.

// Code is being run within an iframe ("all_frames": true)
if (window != window.top) {
  // Attempt to log the source of the parent iframe
  // If cross domain, met throws - Error: Permission denied to access property "frameElement"
  console.log(window.parent.frameElement.src);
}

As you can see in the main.js file, when attempting to print the source for the parent iframe an error is thrown as below.

Error: Permission denied to access property "frameElement"

I want to know how it would be possible to allow a FireFox WebExtension to access and modify the contents of a cross domain iframe. I'm not sure if it is a problem of not putting down the right permission in the manifest, or that I have to use the WebExtension API or something, I just can't find anything on this.

Additionally, if anyone could refer or provide me some examples of modifying the contents of an iframe in this fashion, it would be much appreciated.

Grater answered 23/3, 2017 at 6:11 Comment(5)
I'm already doing this, you can see this with the code I provided for my manifest file. This does not allow me permission to modify cross domain iframes, it only runs my JavaScript file within the main tab and any iframes within it.Grater
Did you even bother to read my post? I literally gave my code examples with exactly what you are describing. That is the entire basis of my question, I'm wondering why I am not able to access the content this way.Grater
Ok, my bad, I actually didn't read carefully. So the problem is not that you can't access the inner iframe, but that you can't access the parent window from this inner iframe.Hydrostat
So the sandbox allow-top-navigation parameter doesn't seem to work on cross-origin frames whatever we do, but you can still use window.parent.postMessage to communicate between the iframe and the main document. The script you injected in the frame has the same restrictions as the framed document.Hydrostat
I'm indebted to you for mentioning the all_frames option which I didn't know existed and is not documented whatsoever! This allows my content.js to be loaded within every frame, so that each can manage its own iframe or top level document, which means I don't have to worry about cross domain or iframe onload events or anything.Sipes
C
6

Directly accessing cross-domain content is not possible

Directly accessing cross-domain content is not, or at least should not, be possible. While there may be a way around this restriction (I have not looked exhaustively), it would not be intentional and would be considered a bug.

Unlike other types of Firefox extensions, WebExtensions are granted permissions to access content on, at most, a domain by domain basis. This is regardless of you specifying "<all_urls>", or "*://*/*" in your manifest.json permissions. Specifying multiple domain permissions does not open up access to cross-domain content. Opening up access to cross-domain content would be a more complex problem, which would, potentially, have its own set of security related bugs. As a result, specifying multiple domains in your permissions just permits you to inject scripts/CSS into multiple matching URLs, without special access to cross-domain content. Thus, there should not be a way to directly access content in, or from, a cross-domain iframe.

Cross-domain content must be accessed with a script injected in that frame

If you want to access that cross-domain content, you must inject a script in the iframe, or top level window, which you desire to access. As mentioned, your ability to inject such scripts/CSS is one of the things controlled by permissions. You can then use message passing (either from/to the content scripts in the top frame/child frame, or relayed through a background script) to communicate between the scripts you have injected in the cross-domain frames.

Given that you are already injecting scripts into <all_urls>, and all_frames, you will just need to implement one of the methods of communicating between them mentioned above. You will then need to request the information you need from the other script, or pass the information to the other script for processing.

Crespo answered 23/3, 2017 at 17:32 Comment(2)
A long post with actual answer buried deep at the end (the last sentence is, technically, the seed of actual solution). You can do better!Franz
@Xan, Yeah, it was a bit of a wall of text. I added some formatting (h2 headings), and expanded a bit. Are you suggesting that access/injecting another script and/or passing messages should be gone into in more detail (i.e. code)? I'm currently of the opinion that they should not be covered in significant detail, as they are really separate questions.Crespo

© 2022 - 2024 — McMap. All rights reserved.